(54) Authentication in telecommunication system

(57) Method of controlling access from a terminal to a telecommunications network (38), the method comprises the steps of:

establishing communication between the terminal (32) and an interface means (33, 34, 35);

transmitting a request for access and authentication data from the terminal (32) to the first access control means (33);

forwarding the request for access to a secure access control system (36) arranged to provide access to the telecommunications network (38) only for selected terminals (32);

transmitting a login prompt signal from the secure access control system (36) to the telecommunications terminal (32) in response to the request for access;

returning a login signal from the telecommunications terminal (32) to the secure access control system (36);

comparing the login signal with data stored in a user authentication database (37) associated with the secure access control system (36);

providing a connection to the telecommunications network (38) if the comparison is validated.
Description

[0001] This invention relates to the provision of secure access for telecommunications systems, and in particular to the provision of secure access to distributed or other computer networks using dial-in telecommunications links. Provision of secure access is necessary to prevent abuses by unauthorised users, for example by gaining access to confidential data such as that available on private "Intranets".

[0002] It is common practice to provide secure access to systems by requiring the user to enter a security code (Personal Identity Number or "PIN") known only to the authorised user. This can be achieved by providing an access control system and arranging that access to the secure data is only possible through the access control system. (The secure data is described as being within a "firewall", and access through the firewall is only possible through the access control system). The access control system prompts the user to provide a user identity and a Personal Identity Number (PIN) or "password" which, if provided correctly, causes the access control system to allow the user access to the secure data.

[0003] The access control procedure requires the user terminal to be configured to interrupt the log-in process by prompting the user to enter the access code, and to abort the log-in process if the correct code is not transmitted. Although typical general-purpose desktop and laptop computers can be configured to do this, the process is cumbersome, and inconvenient if the terminal is only likely to be used for secure access occasionally.

[0004] Moreover, some devices and systems currently on the market, such as "WAP" (Wireless Application Protocol) telephones, do not have a permanent connection to the telecommunications system: every time an attempt is made to access data, a new session effectively begins. It is therefore necessary to authenticate the terminal every time it is used to access data. This would obviously be very tedious. For this reason the login process is automated. The user identification is permanently programmed into the operating system, and it does not have the capability to interrupt the network connection process to provide any authentication codes. The phones can therefore operate as a normal anonymous internet connection and do not have the ability to allow the user to enter a security code after dialling, and therefore cannot be used to allow secure network login.
[0005] According to the invention, there is provided an access control system for controlling a gateway server giving access from a terminal to a telecommunications network, comprising:

interface means for connection to a telecommunications terminal, the interface means having first access control means arranged to receive authentication data generated automatically by the terminal to permit access to the telecommunications network;

and a secure access system connected to the interface means and comprising second access control means to provide access to the telecommunications network only to selected terminals;

the second access control means having a user authentication database, and means for generating a login prompt signal for transmission to the telecommunications terminal in response to a request for access, means for comparing a login signal received from the telecommunications terminal with data stored in the user authentication database and means for providing a connection to the telecommunications network.

[0006] According to another aspect, there is provided a method of controlling access from a terminal to a telecommunications network, the method comprising the steps of:

establishing communication between the terminal and an interface means;

transmitting an automatic request for access, accompanied by authentication data, from the terminal to the first access control means;

forwarding the request for access to a secure access control system arranged to provide access to the telecommunications network only for selected terminals;

transmitting a login prompt signal from the secure access control system to the telecommunications terminal in response to the request for access;

returning a login signal from the telecommunications terminal to the secure access control system;

comparing the login signal with data stored in a user authentication database associated with the secure access control system;

providing a connection to the telecommunications network if the comparison is validated.

[0007] The interface means may also convert data between a system compatible with the telecommunications terminal (for example WML/WTP) and a system compatible with the second access system (for example HTML/HTTP).

[0008] Preferably the second access control means generates a signal in response to a successful comparison, to cause a value to be stored indicative of the telecommunications terminal requesting access, incoming requests for access are associated with the stored values, and the access control means is controlled to make a connection to the telecommunications network without the generation of a further login prompt if such a stored value is provided in respect of the telecommunications terminal making the request.

[0009] The invention may be used with any suitable transport protocol. The embodiment to be described is designed for use with WAP (Wireless Access Protocol) phones, which establish an Internet Protocol session and then pass WTP (WAP Transport Protocol) signalling over this connection to connect to a WAP server.

[0010] An embodiment of the invention will now be described, by way of example, with reference to the drawings in which:

Figure 1 illustrates schematically a conventional secure access system;

Figure 2 illustrates schematically a conventional wireless application protocol access system;

Figure 3 illustrates schematically a system according to the invention;

Figure 4 is a flow chart illustrating the operation of the system of Figure 3.

The conventional system shown in Figure 1 is designed for secure access to a private "Intranet" network 18. A "firewall" 19 is defined, across which access can only be gained from a user terminal 20 through an access control platform 16. The Intranet 18 can only be accessed through this access control platform 16. When a connection is made from the terminal 20 to the access control platform 16, the access control platform returns a login screen to the terminal 16. The user then enters a user identification code and a password, which are read by the access control system 16. The identification code and password are compared with data stored in a security server 17 and connection is made to the network 18 if the code and password are recognised as valid. The connection to the network 18 is maintained for as long as the user maintains the connection between his terminal 20 and the access control system 16.

[0011] In the most secure systems a pseudo-random code is also required. The user has an electronic "token" which displays a code, which changes, typically every few minutes, according to a pseudo-random algorithm. The access control system 16 runs the same algorithm, and can therefore verify whether the code entered by the user is the currently-correct code. In combination with password control, this arrangement ensures that only someone who both knows the user's password and is currently in possession of the token can access the system. Neither theft of the token, nor illicit acquisition of the password, for example by observation of keystrokes ("shoulder-surfing"), is on its own sufficient to gain access to the system.

[0012] Internet-compatible mobile handsets are now becoming available, working according to the "WAP" (Wireless Access Protocol) standard. The proposed "Universal Mobile Telephone System" (UMTS), also known as "Third Generation Mobile System" (TGMS), will also allow access to data services. Because of the relatively high cost of "airtime" for mobile communications, the access arrangements for WAP and UMTS systems differ from those used by fixed terminals. As shown in Figure 2, the user terminal 22 contacts an interface 23 known as a RAS (Remote Access Server) which provides authentication and connectivity to dial-in devices. The terminal automatically transmits its user identification code and password, which are verified by the remote access server 23. A further check may be made using the "Calling Line Identity" (CLI) of the handset 22. Access to the network (the "Internet") 28 is then allowed.
[0013] Internet sites generally use a format known as HTML (Hyper Text Markup Language). WAP handsets use a similar, but not identical, format known as WML (Wireless Markup Language). The transport protocol generally used within the internet is HTTP (Hyper Text Transport Protocol), but a more efficient protocol is used to transport WML pages to WAP phones, known as WTP (Wireless Transport Protocol). Therefore if a standard Internet page is to be accessed by a WAP phone 22 a WAP Gateway 24 is required to convert data from HTTP to WTP for delivery over an IP link to WAP phones, and a transcoder 25 is also required, to translate HTML pages to WML and vice versa.

[0014] In these systems the identification of the user 22 is required primarily to arrange for the call to be paid for and to ensure the handset 22 has not been barred, for example because it has been reported stolen. Access control is therefore relatively simple. Since the handsets are, by their nature, portable, they are less likely to be left unattended than fixed terminals are. Consequently, the user is likely to be aware of any potential for unauthorised use, for example as a result of theft, relatively quickly.

[0015] However, because the login takes place automatically, there is no manual password entry and therefore no safeguarding of access to protected sites. The present invention seeks to allow such sites to be accessed by such systems with a similar degree of security to existing fixed systems. However, because each request made by a user terminal 22 for information from the network 28 constitutes a separate call, requiring verification of the user terminal 22, manual password entry for every Internet page requested would be extremely cumbersome.

[0016] As shown in Figure 3, the novel arrangement of this invention combines some features from each of the prior art arrangements of Figures 1 and 2. An "Intranet" 38 protected by a "firewall" 39 is accessible by a mobile handset 32. When the mobile handset 32 makes an access attempt, the call is routed to the remote access server 32 as previously described. If the call is directed to the Intranet 38, the RAS 32 routes the call to a WAP gateway 34 located within the "firewall" 39. This special gateway 34 is configured to connect only to a dedicated transcoder 35 which in turn is configured to connect only to one address, namely that of a dedicated access control unit 36. The link between the dedicated transcoder 35 and the dedicated access control unit 36 ensures that any access request from a mobile terminal 32 is subjected to the enhanced security control procedures of the access control unit.

[0017] The access control unit 36 is arranged to return a login request to the terminal 32 (converted from the standard HTML format to WML by the transcoder 35) and on receipt of the correct response (verified by comparison with data stored in the security server 37) allows access to the requested page.

[0018] When the access control unit 36 authorises access, it also performs a further function. It causes a flag to be set in the transcoder, which identifies the user terminal 32. (This is known as a "cookie"). If a further request from the same terminal 32 is received by the transcoder 35, the cookie identifies the user 32 as having already been authorised and instructs the access control system 36 to authorise access without repeating the login routine. The cookie is set to expire after a predetermined period, if no access requests are made. Thus a login is required when a request is made unless another request has been made by the same user in the recent past. This allows access control to the secure data to be maintained without the requirement for a login routine for every item of data.

[0019] Security is provided by placing all the access elements 35, 36, 37, 38 (apart from the remote access server 33) inside the Firewall 39 and only allowing access to the secure Intranet 38 from the ports and IP addresses relating to these elements.

[0020] The operation of the system of Figure 3 will now be described in more detail with reference to the flow chart of Figure 4, which illustrates the following fifteen steps:

1. The WAP mobile phone 32 dials into the Remote Access Server 33. Simple authentication takes place, using the username and password stored in the phone 32. A CLI check may also be performed. This procedure sets up an IP (Internet Protocol) connection.

2. The phone 32 contacts the WAP gateway 34 by connecting to an IP address stored in the phone 32, and the phone 32 and gateway 34 negotiate a WTP session, and request a home page.

3. The WAP gateway 34 is configured to only communicate with the Transcoder 35 so the request for the homepage (encoded in WML using WTP, as indicated by "WML/WTP" in Figure 4) is translated by the WAP Gateway 34 to a WML request over HTTP (WML/HTTP) and passed to the Transcoder 35.

4. The Transcoder 35 (which is configured to only communicate with the access control unit 36) converts the WML request to HTML, and passes the translated request (HTML/HTTP) on to the access control unit 36.

5. The access control unit 36 checks whether there is a valid cookie associated with the request. If a valid cookie is found then the cookie is updated to reflect the new time of access (step 14) and the requested page is then returned as in step 15 below. If there is no cookie (which will be the case if no previous access request has been made from the WAP phone 32, or if the time elapsed since the previous access time recorded for the cookie is longer than a timeout stated in the cookie configuration) the access control unit 36 identifies the request as one requiring a login, and returns a prompt page (in HTML over HTTP) to the transcoder 35, prompting for the Username and security codes: that is, the user's PIN and the pseudo-random code currently shown on the token.

6. The Transcoder 35 receives the prompt page from the access control unit 36 and converts the HTML to WML and passes this page to the WAP Gateway 34.

7. The WAP Gateway 34 converts the HTTP protocol to WTP and delivers it to the WAP Phone 32 where it is displayed.

8. The user enters a username and PIN along with the six-digit pseudo-random number shown on the token at that time.

9. The WAP Phone 32 sends the results of the page to the WAP Gateway 34 as a WML formatted response using WTP over IP.

10. The WAP Gateway 34 converts the WTP protocol to HTTP and passes the result to the Transcoder 35.

11. The Transcoder 35 converts the WML response to HTML and sends this on to the Access control unit 36 using HTTP.

12. The Access control unit 36 checks the username, PIN and pseudo-random number against data stored in and generated by the Security server 37 to determine if the user should be authenticated.

13. If the details do not match, a rejection is sent back to the user as an HTML page which is translated by the Transcoder 35 and delivered through the WAP Gateway 34 to the phone 32, as in steps 5-12. This process is repeated either until the correct details are received or a maximum number of repetitions is exceeded. If the number of attempts exceeds the maximum the Security server 37 disables all entries for the username.

14. If the Security server 37 determines the credentials match then the Access control unit 36 sets a "cookie" on the transcoder 35 against the identity of the WAP phone 32 using HTML and HTTP. (If a valid cookie already exists for the WAP phone (see step 5), the latest access time recorded by the cookie is updated).

15. The Access control unit 36 then fetches from the data network 308 the original page that was requested and sends it as HTML or WML using HTTP to the Transcoder 35. If the page is in HTML, the transcoder 35 converts the HTML to WML. The WML page is passed, using HTTP, to the WAP Gateway 34 which converts the HTTP to WTP and delivers it to the WAP phone.
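The following Python model is an added example and is not part of the patent or of any product it describes. It reduces steps 5 and 12 to 15 of the flow chart to one call per request (each request from the WAP phone is a separate call, as [0015] notes), with the transcoder 35 acting as the cookie store of [0018] (sliding expiry, refreshed on every authorised request), the security server 37 enforcing the lockout of step 13, and the token of [0011] checked alongside username and PIN. The cookie timeout, the retry limit, the terminal identifier, the page contents and the HMAC-based time-step token code are all assumptions made for this example; the patent specifies none of them.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this illustration (the patent gives neither
# a timeout value nor a retry limit; both are assumptions here).
COOKIE_TIMEOUT_SECONDS = 300
MAX_LOGIN_ATTEMPTS = 3

# Constructed stand-in for the Intranet: page name -> HTML content.
INTRANET_PAGES = {"/home": "<html>welcome to the intranet</html>"}


class SecurityServer:
    """Security server 37: user authentication database plus the token
    algorithm used to check the pseudo-random code (steps 12 and 13)."""

    def __init__(self, users):
        # users: username -> (pin, token_secret_bytes); constructed sample data
        self.users = {
            name: {"pin": pin, "secret": secret, "failures": 0, "disabled": False}
            for name, (pin, secret) in users.items()
        }

    @staticmethod
    def token_code(secret, now):
        # ASSUMPTION: the patent only says the token shows a six-digit code that
        # changes every few minutes. An HMAC-SHA1 time-step code with HOTP-style
        # dynamic truncation and a 60-second step stands in for that algorithm.
        counter = int(now) // 60
        mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return "%06d" % (value % 1_000_000)

    def verify(self, username, pin, code, now):
        """Step 12: compare username, PIN and token code. Step 13: once the
        failure limit is reached, disable all entries for the username."""
        record = self.users.get(username)
        if record is None or record["disabled"]:
            return False
        # Evaluate both comparisons so timing does not reveal which one failed.
        pin_ok = hmac.compare_digest(pin, record["pin"])
        code_ok = hmac.compare_digest(code, self.token_code(record["secret"], now))
        if pin_ok and code_ok:
            record["failures"] = 0
            return True
        record["failures"] += 1
        if record["failures"] >= MAX_LOGIN_ATTEMPTS:
            record["disabled"] = True
        return False


class Transcoder:
    """Transcoder 35 as the cookie store: terminal identity -> last access time."""

    def __init__(self):
        self.cookies = {}

    def has_valid_cookie(self, terminal, now):
        last = self.cookies.get(terminal)
        if last is None or now - last > COOKIE_TIMEOUT_SECONDS:
            self.cookies.pop(terminal, None)  # an expired cookie is discarded
            return False
        return True

    def set_cookie(self, terminal, now):
        # Step 14: set the terminal's cookie, or refresh its recorded access time.
        self.cookies[terminal] = now


class AccessControlUnit:
    """Access control unit 36 for steps 5 and 12 to 15. Each call returns
    ("PAGE", html), ("LOGIN_PROMPT", None) or ("REJECTED", None)."""

    def __init__(self, security_server, transcoder, pages):
        self.security_server = security_server
        self.transcoder = transcoder
        self.pages = pages

    def handle_request(self, terminal, page, now, credentials=None):
        # Step 5: a valid cookie means no login is needed; refresh it (step 14)
        # and return the requested page (step 15).
        if self.transcoder.has_valid_cookie(terminal, now):
            self.transcoder.set_cookie(terminal, now)
            return ("PAGE", self.pages.get(page))
        # No cookie and no login response yet: prompt for username, PIN and token code.
        if credentials is None:
            return ("LOGIN_PROMPT", None)
        username, pin, code = credentials
        # Steps 12 and 13: verify against the security server; reject on mismatch.
        if not self.security_server.verify(username, pin, code, now):
            return ("REJECTED", None)
        # Steps 14 and 15: set the cookie and deliver the originally requested page.
        self.transcoder.set_cookie(terminal, now)
        return ("PAGE", self.pages.get(page))


def build_demo_system():
    """Wire the components together with constructed sample data."""
    users = {"alice": ("1234", b"constructed-token-seed-for-alice")}
    server = SecurityServer(users)
    return AccessControlUnit(server, Transcoder(), INTRANET_PAGES), server
```

Driving `handle_request` with the same terminal identity at increasing timestamps reproduces the behaviour described in step 5: the first request gets a login prompt, a correct login returns the page and sets the cookie, a request inside the timeout is served without a prompt, and a request after the idle period is prompted again. Repeated wrong PINs exhaust the limit and the username stays disabled even when correct details follow, as step 13 requires.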



Claims

1. Access control system for controlling a gateway server (36) giving access from a terminal (32) to a telecommunications network (38), comprising:

interface means (33, 34, 35) for connection to a telecommunications terminal, the interface means having first access control means (34) arranged to receive authentication data generated automatically by the terminal (32) to permit access to the telecommunications network (38);

and a secure access system connected to the interface means and comprising second access control means (36) to provide access to the telecommunications network (38) only to selected terminals,

the second access control means (36) having a user authentication database (37), and means for generating a login prompt signal for transmission to the telecommunications terminal (32) in response to a request for access, means for comparing a login signal received from the telecommunications terminal (32) with data stored in the user authentication database (37) and means for providing a connection to the telecommunications network (38).

2. Access control system according to claim 1, in which the interface means includes a transcoding system (34, 35) for conversion of data between a system compatible with the telecommunications terminal (32) and a system compatible with the secure access system (36).

3. Access control system according to claim 1 or claim 2 wherein the interface means includes storage means (35) to store a value relating to telecommunications terminals which have previously requested access,

wherein the second access control means (36) is arranged to cause a value to be stored in the storage means (35) indicative of a telecommunications terminal (32) that has gained access to the telecommunications network (38),

the interface means being arranged to retrieve a stored value from the storage means (35) and deliver it to the second access control means (36) with an incoming request,

and the second access control means (36) is arranged to make a connection to the telecommunications network (38) without the generation of a login prompt if such a value is supplied by the interface means (35) in respect of the telecommunications terminal (32) making the request.

4. Method of controlling access from a terminal (32) to a telecommunications network (38), the method comprising the steps of:

establishing communication between the terminal (32) and an interface means (33, 34, 35);

transmitting an automatic request for access (1), accompanied by authentication data, from the terminal (32) to the first access control means (33);

forwarding the request for access (2, 3, 4) to a secure access control system (36) arranged to provide access to the telecommunications network (38) only for selected terminals (32);

transmitting (5, 6, 7) a login prompt signal from the secure access control system (36) to the telecommunications terminal (32) in response to the request for access (4);

returning a login signal (8, 9, 10, 11) from the telecommunications terminal (32) to the secure access control system (36);

comparing (12) the login signal (11) with data stored in a user authentication database (37) associated with the secure access control system (36);

providing a connection (15) to the telecommunications network (38) if the comparison (12) is validated.

5. Method according to claim 4, wherein the interface means (34, 35) also converts data between a system (WML/WTP) compatible with the telecommunications terminal (32) and a system (HTML/HTTP) compatible with the second access system (38).

6. Method according to claim 4 or claim 5, wherein the second access control means (36) generates a signal (14) in response to a successful comparison, to cause a value to be stored indicative of the telecommunications terminal (32) requesting access,

incoming requests (3, 4) for access are associated with the stored values,

and the access control means (36) is controlled to make a connection (15) to the telecommunications network (38) without the generation of a further login prompt (5, 6, 7) if such a stored value is provided in respect of the telecommunications terminal (32) making the request.